diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileAvailability.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/Availability.aidl similarity index 97% rename from staging/security/see/storage/aidl/android/hardware/security/see/storage/FileAvailability.aidl rename to staging/security/see/storage/aidl/android/hardware/security/see/storage/Availability.aidl index d33917090f..21a275c6dc 100644 --- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileAvailability.aidl +++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/Availability.aidl @@ -16,7 +16,7 @@ package android.hardware.security.see.storage; /** Determines how early during the boot process file is able to be accessed. */ -enum FileAvailability { +enum Availability { /** Available before userdata is mounted, but after android has booted. */ BEFORE_USERDATA, diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/DeleteOptions.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/DeleteOptions.aidl deleted file mode 100644 index 1a94eb293e..0000000000 --- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/DeleteOptions.aidl +++ /dev/null 
@@ -1,37 +0,0 @@ -/* - * Copyright 2024 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package android.hardware.security.see.storage; - -import android.hardware.security.see.storage.ReadIntegrity; - -parcelable DeleteOptions { - /** - * Set to acknowledge possible files tampering. - * - * If unacknowledged tampering is detected, the operation will fail with an ERR_FS_* - * service-specific code. - */ - ReadIntegrity readIntegrity = ReadIntegrity.NO_TAMPER; - - /** - * Allow writes to succeed while the filesystem is in the middle of an A/B update. - * - * If the A/B update fails, the operation will be rolled back. This rollback will not - * cause subsequent operations fail with any ERR_FS_* code nor will need to be - * acknowledged by setting the `readIntegrity`. - */ - boolean allowWritesDuringAbUpdate = false; -} diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileProperties.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/Filesystem.aidl similarity index 59% rename from staging/security/see/storage/aidl/android/hardware/security/see/storage/FileProperties.aidl rename to staging/security/see/storage/aidl/android/hardware/security/see/storage/Filesystem.aidl index 733b5b06fa..ea8db534d2 100644 --- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileProperties.aidl 
+++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/Filesystem.aidl @@ -15,13 +15,19 @@ */ package android.hardware.security.see.storage; -import android.hardware.security.see.storage.FileAvailability; -import android.hardware.security.see.storage.FileIntegrity; +import android.hardware.security.see.storage.Availability; +import android.hardware.security.see.storage.Integrity; -parcelable FileProperties { - FileIntegrity integrity = FileIntegrity.TAMPER_PROOF_AT_REST; - FileAvailability availability = FileAvailability.BEFORE_USERDATA; +/** + * Specifies minimum security requirements for a Secure Storage filesystem. + */ +parcelable Filesystem { + Integrity integrity = Integrity.TAMPER_PROOF_AT_REST; + Availability availability = Availability.BEFORE_USERDATA; - /** Whether the file is reset when user data is wiped. */ + /** + * Whether the file is reset on factory resets. Factory resets will not be reported as + * tampering. + */ boolean persistent; } diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/IDir.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/IDir.aidl index a0a9f3d25b..5d9a761d65 100644 --- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/IDir.aidl +++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/IDir.aidl 
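Review bot: The new comment on `persistent` in `Filesystem` does not say which value of the boolean means what — "Whether the file is reset on factory resets" read against a field named `persistent` suggests `true` means the file is wiped, which is presumably the opposite of the intent, and a parcelable described as "minimum security requirements" should also say which value is the stricter requirement. Suggest `/** True if the file must survive a factory reset; false if a factory reset may wipe it. A factory reset is not reported as tampering in either case. */`, with the polarity confirmed against the implementation. The field also has no explicit default while `integrity` and `availability` do; `boolean persistent = false;` (or `true`, whichever is the weaker requirement) makes the default guarantee of a session visible to callers. Because `Integrity.TAMPER_DETECT` exists precisely to report REE alteration, it would help to state here or on `Integrity` how a legitimate factory reset is distinguished from an REE-initiated wipe, so that "not reported as tampering" cannot be read as "any reset is silently accepted".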
@@ -26,15 +26,15 @@ interface IDir { * * @maxCount: * the maximum number of filenames to return. A @maxCount of 0 signifies no limit on the - * number of filenames returned. + * number of filenames returned. * * Returns: * An ordered list of filenames. If @maxCount > 0, the length of the returned list will be - * less than or equal to @maxCount. + * less than or equal to @maxCount. * * May return service-specific errors: - * - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the - * dir was opened with does not acknowledge + * - ERR_FS_* if the filesystem has been tampered with in a way that the session did not + * acknowledge */ @utf8InCpp String[] readNextFilenames(int maxCount); } diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/IFile.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/IFile.aidl index ff26aa4d01..fd2032e191 100644 --- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/IFile.aidl +++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/IFile.aidl @@ -32,8 +32,8 @@ interface IFile { * the sequence of bytes at [offset, offset + size) in the file * * May return service-specific errors: - * - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the - * file was opened with does not acknowledge + * - ERR_FS_* if the filesystem has been tampered with in a way that the session did not + * acknowledge */ byte[] read(long size, long offset); @@ -47,8 +47,8 @@ interface IFile { * the number of bytes written successfully * * May return service-specific errors: - * - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the - * file was opened with does not acknowledge + * - ERR_FS_* if the filesystem has been tampered with in a way that the session did not + * acknowledge */ long write(long offset, in byte[] buffer); 
@@ -56,8 +56,8 @@ interface IFile { * Reads this file's size. * * May return service-specific errors: - * - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the - * file was opened with does not acknowledge + * - ERR_FS_* if the filesystem has been tampered with in a way that the session did not + * acknowledge */ long getSize(); @@ -71,8 +71,8 @@ interface IFile { * the file's new size * * May return service-specific errors: - * - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the - * file was opened with does not acknowledge + * - ERR_FS_* if the filesystem has been tampered with in a way that the session did not + * acknowledge */ void setSize(long newSize); @@ -88,8 +88,8 @@ interface IFile { * - ERR_NOT_FOUND if no file exists at @destPath and @destCreateMode is `NO_CREATE` * - ERR_ALREADY_EXISTS if a file already exists at @destPath and @destCreateMode is * `CREATE_EXCLUSIVE` - * - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the - * file was opened with does not acknowledge + * - ERR_FS_* if the filesystem has been tampered with in a way that the session did not + * acknowledge */ void rename(in @utf8InCpp String destPath, in CreationMode destCreateMode); } diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/ISecureStorage.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/ISecureStorage.aidl index be3c045522..022de9a209 100644 --- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/ISecureStorage.aidl +++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/ISecureStorage.aidl @@ -15,7 +15,7 @@ */ package android.hardware.security.see.storage; -import android.hardware.security.see.storage.FileProperties; +import android.hardware.security.see.storage.Filesystem; import android.hardware.security.see.storage.IStorageSession; /** 
@@ -28,20 +28,18 @@ interface ISecureStorage { const int ERR_NOT_FOUND = 2; const int ERR_ALREADY_EXISTS = 3; const int ERR_BAD_TRANSACTION = 4; - - const int ERR_FS_RESET = 5; - const int ERR_FS_ROLLED_BACK = 6; - const int ERR_FS_TAMPERED = 7; + const int ERR_AB_UPDATE_IN_PROGRESS = 5; + const int ERR_FS_TAMPERED = 6; /** * Starts a storage session for a filesystem. * - * @properties: - * the minimum filesystem properties requested for the session. + * @filesystem: + * The minimum filesystem properties requested. * * May return service-specific errors: * - ERR_UNSUPPORTED_PROPERTIES if no filesystems exist which meet the minimum requested - * requirements + * requirements */ - IStorageSession startSession(in FileProperties properties); + IStorageSession startSession(in Filesystem filesystem); } diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/IStorageSession.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/IStorageSession.aidl index cd126b8a02..1b70a0e2ac 100644 --- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/IStorageSession.aidl +++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/IStorageSession.aidl @@ -15,12 +15,10 @@ */ package android.hardware.security.see.storage; -import android.hardware.security.see.storage.DeleteOptions; +import android.hardware.security.see.storage.CreationMode; import android.hardware.security.see.storage.IDir; import android.hardware.security.see.storage.IFile; import android.hardware.security.see.storage.OpenOptions; -import android.hardware.security.see.storage.ReadIntegrity; -import android.hardware.security.see.storage.RenameOptions; /** * Interface for a Secure Storage session 
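Review bot: `ERR_AB_UPDATE_IN_PROGRESS` is added to `ISecureStorage` without a doc comment, and nothing in the hunk says which operations return it or whether reads are affected as well as writes; with the `allowWritesDuringAbUpdate` option removed elsewhere in this change, callers no longer have an opt-in, so the constant's contract has to be stated here. Suggest a comment such as `/** The operation was refused because the filesystem is in the middle of an A/B update. */`, adjusted to the actual rule if reads are also refused. The `ERR_FS_*` family now consists only of `ERR_FS_TAMPERED`, so the method docs that still say "ERR_FS_* ... the session did not acknowledge" should name the single code rather than a wildcard. Renumbering `ERR_FS_TAMPERED` from 7 to 6 is acceptable for a staging interface but is worth calling out in the commit message, since any client built against the old numbering would misinterpret the error it receives.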
@@ -66,8 +64,8 @@ interface IStorageSession { * May return service-specific errors: * - ERR_NOT_FOUND * - ERR_ALREADY_EXISTS - * - ERR_FS_* if the filesystem has been tampered with in a way that @options.readIntegrity - * does not acknowledge + * - ERR_FS_* if the filesystem has been tampered with in a way that the session did not + * acknowledge */ IFile openFile(in @utf8InCpp String filePath, in OpenOptions options); @@ -81,10 +79,10 @@ interface IStorageSession { * * May return service-specific errors: * - ERR_NOT_FOUND - * - ERR_FS_* if the filesystem has been tampered with in a way that @options.readIntegrity - * does not acknowledge + * - ERR_FS_* if the filesystem has been tampered with in a way that the session did not + * acknowledge */ - void deleteFile(in @utf8InCpp String filePath, in DeleteOptions options); + void deleteFile(in @utf8InCpp String filePath); /** * Renames an existing file. 
@@ -95,19 +93,19 @@ interface IStorageSession { * path to the file, relative to filesystem root * @destPath: * the file's new path, relative to filesystem root - * @options: - * options controlling rename behavior + * @destCreateMode: + * creation behavior for the dest file * * May return service-specific errors: - * - ERR_NOT_FOUND if no file exists at @currentPath, or if @options.destCreateMode is - * `NO_CREATE` and no file exists at @destPath - * - ERR_ALREADY_EXISTS if @options.destCreateMode is `CREATE_EXCLUSIVE` and a file exists at + * - ERR_NOT_FOUND if no file exists at @currentPath, or if @destCreateMode is `NO_CREATE` and + * no file exists at @destPath + * - ERR_ALREADY_EXISTS if @destCreateMode is `CREATE_EXCLUSIVE` and a file exists at * @destPath - * - ERR_FS_* if the filesystem has been tampered with in a way that @options.readIntegrity - * does not acknowledge + * - ERR_FS_* if the filesystem has been tampered with in a way that the session did not + * acknowledge */ void renameFile(in @utf8InCpp String currentPath, in @utf8InCpp String destPath, - in RenameOptions options); + in CreationMode destCreateMode); /** * Opens a directory from a filesystem with the given properties. @@ -116,14 +114,11 @@ interface IStorageSession { * * @path: * path to the directory, relative to filesystem root - * @readIntegrity: - * allow opening (and subsequent read/write operations) despite possible tampering for the - * directory * * May return service-specific errors: * - ERR_NOT_FOUND - * - ERR_FS_* if the filesystem has been tampered with in a way that @readIntegrity does not + * - ERR_FS_* if the filesystem has been tampered with in a way that the session did not * acknowledge */ - IDir openDir(in @utf8InCpp String path, in ReadIntegrity readIntegrity); + IDir openDir(in @utf8InCpp String path); } 
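Review bot: The reworded error doc on `openDir` (and the same phrase on `openFile`, `deleteFile` and `renameFile`) says the filesystem was tampered with "in a way that the session did not acknowledge", but after this change the session has no acknowledgment input at all — the `readIntegrity` parameter is removed here, `ReadIntegrity` is deleted, and `startSession` takes only a `Filesystem` — so a reader cannot tell what acknowledging would even look like. Either document the acknowledgment mechanism on `IStorageSession` (if `Filesystem.integrity` is meant to be that mechanism, say so explicitly), or reword to what is now observable, e.g. `- ERR_FS_TAMPERED if the filesystem has been tampered with (see Integrity.TAMPER_DETECT)`. The identical wording is introduced in `IDir` and `IFile` in this commit and should follow whichever form is chosen. `openDir`'s doc comment begins before this hunk.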
diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileIntegrity.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/Integrity.aidl similarity index 83% rename from staging/security/see/storage/aidl/android/hardware/security/see/storage/FileIntegrity.aidl rename to staging/security/see/storage/aidl/android/hardware/security/see/storage/Integrity.aidl index 1879b1680d..2f7f7ab2cd 100644 --- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileIntegrity.aidl +++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/Integrity.aidl @@ -15,7 +15,7 @@ */ package android.hardware.security.see.storage; -enum FileIntegrity { +enum Integrity { /** REE may prevent operations, but cannot alter data once written. */ TAMPER_PROOF_AT_REST, @@ -24,10 +24,4 @@ enum FileIntegrity { * an error on read. */ TAMPER_DETECT, - - /** - * REE may alter written data. Changes other than full filesystem resets will be detected and - * reported. - */ - TAMPER_DETECT_IGNORE_RESET, } diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/OpenOptions.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/OpenOptions.aidl index 997ca62e60..9fdf9e5322 100644 --- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/OpenOptions.aidl +++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/OpenOptions.aidl @@ -17,7 +17,6 @@ package android.hardware.security.see.storage; import android.hardware.security.see.storage.CreationMode; import android.hardware.security.see.storage.FileMode; -import android.hardware.security.see.storage.ReadIntegrity; parcelable OpenOptions { /** Controls creation behavior of the to-be-opened file. See `CreationMode` docs for details. */ 
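Review bot: With `TAMPER_DETECT_IGNORE_RESET` removed, `TAMPER_DETECT` is the only level under which REE alteration is reported, yet its doc (only the tail "an error on read" is inside the hunk) does not say how a full filesystem reset is classified, while the new `Filesystem.persistent` comment in this same change states that factory resets are not reported as tampering. The enum is where a client picks its guarantee, so the distinction belongs here: suggest adding to the `TAMPER_DETECT` comment a sentence such as `A wipe of the filesystem by the REE is reported as tampering; a factory reset performed through the platform is not.` — if that is the actual behaviour, otherwise the real rule. Without it a client cannot know whether an attacker resetting the filesystem is distinguishable from a legitimate reset, which is exactly the case the deleted level used to make explicit. The `TAMPER_DETECT` doc comment starts before this hunk.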
@@ -26,26 +25,9 @@ parcelable OpenOptions { /** Controls access behavior of the to-be-opened file. See `FileMode` docs for details. */ FileMode accessMode = FileMode.READ_WRITE; - /** - * Set to acknowledge possible files tampering. - * - * If unacknowledged tampering is detected, the operation will fail with an ERR_FS_* - * service-specific code. - */ - ReadIntegrity readIntegrity = ReadIntegrity.NO_TAMPER; - /** * If this file already exists, discard existing content and open * it as a new file. No semantic change if the file does not exist. */ boolean truncateOnOpen; - - /** - * Allow writes to succeed while the filesystem is in the middle of an A/B update. - * - * If the A/B update fails, the operation will be rolled back. This rollback will not - * cause subsequent operations fail with any ERR_FS_* code nor will need to be - * acknowledged by setting the `readIntegrity`. - */ - boolean allowWritesDuringAbUpdate = false; } diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/ReadIntegrity.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/ReadIntegrity.aidl deleted file mode 100644 index cc0e4f998d..0000000000 --- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/ReadIntegrity.aidl +++ /dev/null 
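Review bot: Removing `allowWritesDuringAbUpdate` leaves `OpenOptions` silent about what an open with `accessMode = FileMode.READ_WRITE` or with `truncateOnOpen = true` (which itself modifies the file) does while an A/B update is in progress; `ISecureStorage` gains `ERR_AB_UPDATE_IN_PROGRESS` in this change, so presumably that is returned, but neither this parcelable nor `openFile`'s error list says so. Suggest extending the `truncateOnOpen` comment with `Truncation is a write: if an A/B update is in progress the open fails with ERR_AB_UPDATE_IN_PROGRESS.` and listing the code on `openFile`, once confirmed against the implementation. Separately, `truncateOnOpen` has no explicit default while `accessMode` does and every removed field had one; `boolean truncateOnOpen = false;` keeps the parcelable uniform and makes the non-destructive default visible to readers.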
@@ -1,41 +0,0 @@ -/* - * Copyright 2024 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package android.hardware.security.see.storage; - -enum ReadIntegrity { - /** - * Return an error on reads if any REE alteration of the written data - * has been detected. - */ - NO_TAMPER, - - /** - * Return an error on reads if any REE alteration other than a reset - * has been detected. - */ - IGNORE_RESET, - - /** - * Return an error if any REE alteration other than a rollback to a - * valid checkpoint has been detected. (What makes a checkpoint valid is - * implementation defined; an implementation might take a checkpoint on its - * first post-factory boot. A reset is a rollback to the initial state.) - */ - IGNORE_ROLLBACK, - - // There's no `IGNORE_ALL` because if REE has done any alteration other - // than a rollback, the file contents will be known-bad data. -} diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/RenameOptions.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/RenameOptions.aidl deleted file mode 100644 index f55ea7f60e..0000000000 --- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/RenameOptions.aidl +++ /dev/null 
@@ -1,41 +0,0 @@ -/* - * Copyright 2024 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package android.hardware.security.see.storage; - -import android.hardware.security.see.storage.CreationMode; -import android.hardware.security.see.storage.ReadIntegrity; - -parcelable RenameOptions { - /** Controls creation behavior of the dest file. See `CreationMode` docs for details. */ - CreationMode destCreateMode = CreationMode.CREATE_EXCLUSIVE; - - /** - * Set to acknowledge possible files tampering. - * - * If unacknowledged tampering is detected, the operation will fail with an ERR_FS_* - * service-specific code. - */ - ReadIntegrity readIntegrity = ReadIntegrity.NO_TAMPER; - - /** - * Allow writes to succeed while the filesystem is in the middle of an A/B update. - * - * If the A/B update fails, the operation will be rolled back. This rollback will not - * cause subsequent operations fail with any ERR_FS_* code nor will need to be - * acknowledged by setting the `readIntegrity`. - */ - boolean allowWritesDuringAbUpdate = false; -} diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/Tamper.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/Tamper.aidl deleted file mode 100644 index 0a39fdd371..0000000000 --- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/Tamper.aidl +++ /dev/null 
@@ -1,28 +0,0 @@ -/* - * Copyright 2024 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package android.hardware.security.see.storage; - -/** Specifies types of REE tampering the filesystem may detect */ -enum Tamper { - /** REE has reset this file or the containing file system. */ - RESET, - - /** REE has rolled back this file or the containing file system to a previous state. */ - ROLLBACK, - - /** REE has made some other modification to the file. */ - OTHER, -}